
Vendor questionnaires and evidence requests: why compliance admin is becoming automatable

Everyone treats the security questionnaire as a form to fill in faster. It is really the same answer being re-typed for the hundredth buyer. The firm that turns its proof into a standing asset instead of a fresh chore wins the deal before the form arrives.

18 June 2026

The answer-once estate: on the left a blank questionnaire repeated many times, each routed to scarce human typing (the re-narrate loop); on the right one governed estate — approved answer plus evidence plus a named owner — published into a trust profile that resolves SIG, CAIQ and Cyber Essentials requests on demand, with a single human sign-off gate kept on the output.
// By the numbers

43% of UK businesses suffered a cyber attack in the past year [1]

80%+ of incoming questions Vanta reports drafting automatically from past answers [9]

$250m reported price of Drata acquiring trust-centre pioneer SafeBase (Feb 2025) [7]
// The signal

The fastest win in supplier assurance is not answering security questionnaires more quickly. It is answering each question once and reusing the approved answer forever. We call this discipline the answer-once estate: one governed set of approved responses, each tied to live evidence, published ahead of the request [1][3]. Questionnaire volume is real and rising. Vendors in regulated markets report anywhere from 20–30 to several hundred a year, at a vendor-estimated 10–40 hours each [8]. AI now drafts most of those responses from a knowledge base of past answers (Vanta cites 80%+ of questions answered [9], Conveyor markets 95% answer accuracy [10]). But the standards that drive the requests, from Cyber Essentials to SIG and CAIQ, reward a maintained estate of proof rather than faster typing. The one judgement AI must not own is the final sign-off that an answer is still true [1][3][4][6].

// Existing spend affected

Re-typing the same settled security facts for every buyer. One vendor benchmark puts it at 10–40 hours per questionnaire, several hundred a year for large enterprise sellers [8]. A slow assurance answer is a procurement gate that stalls revenue you have already won.

// Analysis

The hundredth time you typed the same answer

The answer-once estate is a single governed library of approved security answers, each tied to live evidence and owned by a named person, published before the buyer asks. A vendor benchmark puts manual completion at 10–40 hours per questionnaire, with large enterprise sellers receiving several hundred a year [8].

A founder at a 30-person UK SaaS firm opens the inbox on a Monday and finds the question again: "Do you encrypt data at rest?" The answer is yes. It was yes last Tuesday, when a different buyer asked it inside a 280-question spreadsheet. It was yes in March, phrased as control IAM-09 in a CAIQ. It was yes in the supplier portal that timed out twice. The same true fact, re-typed for the hundredth buyer, each time as if nobody had ever asked. Nobody is assessing anything new in those keystrokes. A fact that has not changed is simply being re-narrated, on demand, to whoever asks loudest.

Here is the bet this briefing is willing to lose on. Most advice on security questionnaires is about speed: answer the form faster, buy a tool that types quicker. We think speed is the wrong target. The win is reuse. Answer each question once, govern that answer, tie it to its proof, and publish it before the buyer asks. If a firm that built a maintained answer estate does not clear supplier assurance faster, and lose fewer deals to "still waiting on your security review", than a firm that keeps starting each questionnaire from a blank cell, we are wrong. The rest of this briefing is why we think we are not.


What this means: Speed is the wrong target. Reuse is the win — answer once, govern it, publish it.

How heavy is the questionnaire load, really?

Heavy enough to stall a sales cycle, light enough to be invisible on any budget line. There is no single audited UK figure for questionnaire volume, so treat what follows as one named vendor benchmark, not regulation. Steerlab reports vendors in regulated markets receiving anywhere from 20–30 questionnaires a year at the small end to 50–100 in the mid-market and several hundred for large enterprise sellers. It puts the time to complete one manually at 10–40 hours, rising with a 280- or 400-question pack [8]. A well-prepared team can clear an 80–100 question assessment in roughly a day. A 400-question due-diligence pack can eat an engineer-week [8]. The figures sit at the soft end of the evidence base, so read them as direction, not gospel.

The cost lands in two places at once. The obvious one is the hours: senior security and engineering time, the scarcest in a small firm, spent re-typing settled facts. The quieter one is the deal. Questionnaires arrive with tight turnaround windows of five business days or less [8], and a slow assurance answer is a procurement gate that holds revenue you have already won. That is the real bill. Not the typing. The waiting buyer who has not yet signed because your security review is "still in progress".

Why now? The request is becoming a standing requirement

Watch what changed on the buyer's side, because that is the tell. In December 2025 the NCSC published its Cyber Essentials Supply Chain Playbook, a seven-step method for making supplier security a standing condition of doing business rather than a one-off email [1]. It ships with the IASME Supplier Check tool, which lets a buyer upload up to 5,000 suppliers and verify in bulk who holds Cyber Essentials or Cyber Essentials Plus [1]. The direction is unmistakable: assurance is moving from an ad-hoc favour you grant into a recurring requirement you must keep meeting.

And the gap the Playbook is closing is wide. It cites that only 14% of firms are on top of the cyber risks posed by their immediate suppliers, while 43% of UK businesses suffered a cyber attack in the past year [1]. Cyber Essentials itself is the government's recommended minimum standard, run by the NCSC through its delivery partner IASME, and a growing number of organisations require suppliers to be certified to bid for work [5]. Be precise about what that does and does not mean. Cyber Essentials is not a blanket legal mandate on every SME. It is a contractual gate that more buyers are choosing to put in front of you. The request is not going away. It is becoming furniture.


What this means: Supplier assurance is becoming a standing gate, not a one-off email — build for it once.

Do the standards reward speed or a maintained estate?

Look closely at the frameworks driving the requests and you find they are not asking for speed at all. They are asking for a maintained estate of controls and proof. The same handful of questionnaires recur across many buyers: SIG, CAIQ and the CIS Controls are among the most commonly used vendor-risk questionnaires [2]. The Shared Assessments SIG (Standardized Information Gathering) questionnaire is structured across 21 risk domains, from access control to AI and supply-chain risk management, and is regularly updated to track new threats [3]. The Cloud Security Alliance's Cloud Controls Matrix carries 197 control objectives across 17 domains, and from version 4.1 the CAIQ, the yes/no questionnaire cloud buyers send, is merged straight into it [4]. These are not forms you sprint through once. They are inventories of things that must be true about your business and stay true.

That structure is the case for reuse, made by the standards bodies themselves. The whole point of SIG and CAIQ was to let a vendor complete one full assessment and share it across many buyers instead of answering a bespoke spreadsheet for each [8][3][4]. The standard already wants you to answer once and reuse. The firm still copy-pasting last quarter's spreadsheet into this quarter's portal is fighting a problem the framework was explicitly designed to remove. Match your answers to the SIG domains and the CCM controls once, govern them, and every future questionnaire becomes a mapping exercise, not a writing exercise.


What this means: The frameworks already want answer-once reuse — copy-pasting each quarter fights their design.

What is the answer-once estate?

Give it a name and the work stops being a chore and becomes an asset. The answer-once estate is a single governed library of approved answers, each tied to the live evidence that proves it and each owned by a named person who keeps it true, published where possible before the buyer asks. It has three parts: the approved answer (what you say), the evidence (the policy, the certificate, the configuration screenshot that backs it), and the owner (the human who signs that it is still accurate). Miss any one and you do not have an estate. You have a folder of stale text.

This is exactly the shape the market's tools have converged on. Vanta builds a knowledge base of your security posture from previous questionnaires and reports its AI answering 80% or more of incoming questions automatically [9]. Conveyor runs a retrieval engine it markets at 95% answer accuracy and a self-service trust centre, so the buyer retrieves proof without a human re-typing it [10]. Whistic lets vendors publish a profile to eliminate endless questionnaire requests. SafeBase, acquired by Drata in February 2025 in a deal reported at around $250m, built the trust-centre category, with organisations publishing posture rather than answering email [7]. Every one of them sells the same move: stop answering, start publishing. That convergence is the signal. Each rival has bet its roadmap on the same idea independently, which is about as close to market consensus as a young category gets.

MikaHari's view: govern the estate, automate the drafting, sign the answer yourself

So here is the verdict, plainly. Do not start by answering questionnaires faster. Start by building the answer-once estate, then let AI draft from it. The capability is real and bounded. Tools draft most of a response from your approved knowledge base (Vanta cites 80%+ of questions answered [9], Conveyor markets 95% answer accuracy [10]), which is precisely why the work is becoming automatable. But scope the automation honestly. AI is excellent at the retrieval and the first draft. It is not the thing that knows your MFA policy changed last week, and it must never be the final word on whether an answer is still true. Keep a named, competent human accountable for sign-off, both because a wrong assurance answer is a liability you have signed, and because where any decision is solely automated with a legal or similarly significant effect, a person has the right to human intervention to contest it [6]. That bar is about regulated decisions, not the questionnaire itself, but it is the right instinct to carry into the sign-off.

The mistake costs deals: keep treating each questionnaire as a fresh chore, lose the week, lose the buyer who went with the vendor whose trust profile answered before they asked. The win compounds: answer once, govern it, publish it, and let the hundred-and-first request resolve itself while you keep the human signature where the liability sits. Answer once. Govern the proof. Sign it yourself. The questionnaire was never the work. The standing truth behind it was.
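As an added illustration of the three-part entry (answer, evidence, owner) described under "What is the answer-once estate?", the mapping of SIG and CAIQ control references onto it from the section on the standards, and the human sign-off gate in the verdict above, here is a small model written for this briefing. It is not a vendor's product code. Every entry, owner, date and control reference is constructed, except the CAIQ IAM-09 reference, which is the briefing's own example phrasing; the 90-day re-attestation window is an assumption. An answer is only "ready" when its named owner has attested within the window and no evidence changed after that attestation; a changed MFA policy, the case the verdict names, forces it back to review.

```python
"""Toy answer-once estate: approved answer + evidence + named owner, keyed by a
canonical fact, with buyer-facing control references mapped onto it and a
human sign-off gate on the output. Constructed example, not a vendor's code.
Nothing here returns an answer to a buyer; a person does that after review.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_WINDOW = timedelta(days=90)  # assumed re-attestation interval


@dataclass
class Evidence:
    label: str          # policy, certificate, config export (constructed labels)
    last_changed: date  # when the underlying artefact last changed


@dataclass
class ApprovedAnswer:
    fact_id: str        # canonical fact, independent of any framework
    text: str
    owner: str          # named human accountable for keeping it true
    signed_off: date    # owner's most recent attestation that it still holds
    evidence: list = field(default_factory=list)


@dataclass
class Draft:
    control_ref: str
    fact_id: Optional[str]
    text: Optional[str]
    status: str         # "ready" | "needs_review" | "unmapped"
    reasons: list


class AnswerEstate:
    def __init__(self):
        self._answers = {}      # fact_id -> ApprovedAnswer
        self._control_map = {}  # "FRAMEWORK:REF" -> fact_id

    def add(self, answer, control_refs):
        # Miss the evidence or the owner and it is not an estate entry, just text.
        if not answer.evidence or not answer.owner:
            raise ValueError(f"{answer.fact_id}: entry needs evidence and an owner")
        self._answers[answer.fact_id] = answer
        for ref in control_refs:
            self._control_map[ref] = answer.fact_id

    def sign_off(self, fact_id, who, today):
        # The human gate: only the named owner can re-attest an answer.
        ans = self._answers[fact_id]
        if who != ans.owner:
            raise PermissionError(f"{who} is not the owner of {fact_id}")
        ans.signed_off = today

    def resolve(self, control_ref, today):
        # Resolve one buyer question by mapping, then apply the freshness checks.
        fact_id = self._control_map.get(control_ref)
        if fact_id is None:
            return Draft(control_ref, None, None, "unmapped", ["no approved answer mapped"])
        ans = self._answers[fact_id]
        reasons = []
        if today - ans.signed_off > REVIEW_WINDOW:
            reasons.append(f"sign-off by {ans.owner} older than {REVIEW_WINDOW.days} days")
        for ev in ans.evidence:
            if ev.last_changed > ans.signed_off:
                reasons.append(f"evidence '{ev.label}' changed on {ev.last_changed} after sign-off")
        status = "ready" if not reasons else "needs_review"
        return Draft(control_ref, fact_id, ans.text, status, reasons)

    def draft_questionnaire(self, control_refs, today):
        # Drafts a whole pack; the counts show what a human still has to look at.
        drafts = [self.resolve(ref, today) for ref in control_refs]
        counts = {"ready": 0, "needs_review": 0, "unmapped": 0}
        for d in drafts:
            counts[d.status] += 1
        return {"drafts": drafts, "counts": counts}


def build_sample_estate():
    """Constructed sample estate for a small SaaS firm. Names, dates and refs are
    made up, except CAIQ IAM-09, which the briefing uses as its example."""
    estate = AnswerEstate()
    estate.add(ApprovedAnswer("data-at-rest-encryption", "Yes. Customer data at rest is encrypted.",
                              "alice", date(2026, 5, 20), [Evidence("Encryption policy v3", date(2026, 1, 10))]),
               ["CAIQ:IAM-09", "SIG:Q-ENC-01", "PORTAL:encrypt-at-rest"])
    estate.add(ApprovedAnswer("mfa-enforced", "Yes. MFA is enforced for all staff accounts.",
                              "bob", date(2026, 6, 1), [Evidence("MFA policy", date(2026, 6, 10))]),
               ["SIG:Q-MFA-01"])
    estate.add(ApprovedAnswer("annual-pentest", "Yes. An external penetration test is run annually.",
                              "alice", date(2026, 2, 1), [Evidence("Pentest report", date(2026, 1, 15))]),
               ["SIG:Q-PT-01"])
    return estate


if __name__ == "__main__":
    today = date(2026, 6, 18)
    pack = ["CAIQ:IAM-09", "SIG:Q-MFA-01", "SIG:Q-PT-01", "SIG:Q-DR-01"]
    result = build_sample_estate().draft_questionnaire(pack, today)
    for d in result["drafts"]:
        print(d.control_ref, d.status, "; ".join(d.reasons))
    print(result["counts"])
```

The design choice worth noting is that "ready" is a property of the entry, not of the questionnaire: the same encryption fact resolves CAIQ, SIG and the portal question from one attestation, and the review queue is driven by evidence drift and sign-off age rather than by whichever buyer asked most recently.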

// FAQ

What is the answer-once estate?

A single governed library of approved security answers, each tied to the live evidence that proves it and owned by a named person who keeps it true, ideally published before a buyer asks. Its three parts are the approved answer, its supporting evidence, and the human owner who signs that it is still accurate. The cost of supplier assurance is re-narrating the same settled facts, not the facts themselves.

Is Cyber Essentials legally required for UK SMEs?

No. Cyber Essentials is the government's recommended minimum cyber-security standard, run by the NCSC through IASME. It is not a blanket legal mandate on every business. But a growing number of buyers require it contractually to bid for work, and the NCSC's 2025 Supply Chain Playbook pushes buyers to make it a standing supplier requirement, so in practice it is increasingly a commercial gate.

How much of a security questionnaire can AI answer?

Vendors report AI drafting most of a response from a knowledge base of approved past answers. These are two different metrics: Vanta cites 80%+ of incoming questions answered automatically, while Conveyor markets 95% answer accuracy on what it retrieves. Both are draft-generation figures from approved content. A competent human should still review and sign off that each answer is still true before it is returned.

How long do security questionnaires take and how many do firms get?

Industry estimates (not audited regulation) put manual completion at 10–40 hours per questionnaire, rising with 280- or 400-question packs. Vendors in regulated markets report receiving 20–30 per year at the small end, 50–100 in the mid-market, and several hundred for large enterprise sellers, often with five-day turnarounds.

// How this was made

This briefing was researched and drafted by AI agents, then independently fact-checked before publishing. We show the workings so you can judge the quality yourself — not take our word for it.

Soul 9/10 · GEO 8.5/10 · Sources 10 · Independently fact-checked
  1. Researched + drafted · mikahari-briefing skill
  2. Humanised + GEO pass · editing agent
  3. Scored on soul + rigour · briefing-quality-scorer skill (independent)
  4. Fact-checked against sources · Codex, web-enabled (independent)
  5. Corrections applied · editing agent

Independently fact-checked: A web-enabled agent audited every cited statistic, named case and regulator claim against its source; flagged items were corrected before publishing. Codex (independent), 18 June 2026.

// What to do next

Take this further.

If this workflow pattern fits your business, run a free Business Friction Scan to see where the drag is in your own operation — or book a call to discuss a small pilot.